ķ 9(Zc@sQdZddlZddlmZddlmZd„Zd„Zd„ZdS(s+ Helper functions used for generating deterministic initialization vectors (IVs). Deterministic IVs are used to reduce the probability of IV/message-key pair collisions when caching data keys. Prior to introducing caching, a statement could safely be made that every encrypt call resulted in a new data key which would only be used with a single message. With the introduction of caching, this statement by definition becomes false. This is a problem because there are cryptographic limits on the number of times AES can be safely invoked using the same key (or using keys derived from the same key) and a random IV. In framed messages, this manifests as the total number of frames which can be safely encrypted under the same data key across all messages for which the data key is reused. By using a random IV for each frame, we actually decrease the number of frames which can be safely encrypted under the same data key. Rather than attempting to track the number of frames across messages, we decided to move to a deterministic IV constructed in such a way that it is guaranteed to never conflict within the same message. This means that we can consider only the likelihood of KDF collisions, which raises the limit sufficiently that we can assume that every message contains the maximum 2^32 invocations (2^32 - 1 frames + header auth). Each IV is constructed from two big-endian byte arrays concatenated in the following order: 1. **64 bytes** : 0 (reserved space for possible future use) 2. **32 bytes** : frame sequence number (0 for the header auth calculation) i˙˙˙˙N(tActionNotAllowedError(tMAX_FRAME_COUNTcCsd|dks|tkr9tdjd|dtƒƒ‚n|jd}d|}|tjd|ƒS(sNBuilds the deterministic IV for a body frame. :param algorithm: Algorithm for which to build IV :type algorithm: aws_encryption_sdk.identifiers.Algorithm :param int sequence_number: Frame sequence number :returns: Generated IV :rtype: bytes :raises ActionNotAllowedError: if sequence number of out bounds isCInvalid frame sequence number: {actual} Must be between 1 and {max}tactualtmaxits>I(RRtformattiv_lentstructtpack(t algorithmtsequence_numbert prefix_lentprefix((sQ/tmp/pip-build-wDUJoH/aws-encryption-sdk/aws_encryption_sdk/internal/crypto/iv.pytframe_iv.s    cCs t|dƒS(sŲBuilds the deterministic IV for a non-framed body. :param algorithm: Algorithm for which to build IV :type algorithm: aws_encryption_sdk.identifiers.Algorithm :returns: Generated IV :rtype: bytes i(R (R ((sQ/tmp/pip-build-wDUJoH/aws-encryption-sdk/aws_encryption_sdk/internal/crypto/iv.pytnon_framed_body_ivBscCs d|jS(sŨBuilds the deterministic IV for header authentication. :param algorithm: Algorithm for which to build IV :type algorithm: aws_encryption_sdk.identifiers.Algorithm :returns: Generated IV :rtype: bytes R(R(R ((sQ/tmp/pip-build-wDUJoH/aws-encryption-sdk/aws_encryption_sdk/internal/crypto/iv.pytheader_auth_ivMs( t__doc__Rtaws_encryption_sdk.exceptionsRt$aws_encryption_sdk.internal.defaultsRR RR(((sQ/tmp/pip-build-wDUJoH/aws-encryption-sdk/aws_encryption_sdk/internal/crypto/iv.pyt's